Cheers Jay, I'll be making a post at some point on some tips for securing a web server. I know obviously there were some shortcomings in OS-Scape configurations, but this was because of the various flaws in the IPB forum software and the unfortunate event of our admin's password becoming compromised, so the hacker had an entry point to exploit IPB's security shortcomings.
For now, a few things that RSPS owners can do to their websites:
- Use CloudFlare Pro, it's $20 a month and gives you a WAF (web application firewall) which has a bunch of useful built-in rules to stop common exploits.
- Only allow addresses originating from CloudFlare IPs
- Disable all vulnerable PHP functions in your config
- Ideally avoid IPB, but if you can't, just make sure to only allow ANY staff member to log in by using 2FA, not just for protected areas (as the admin hacked on OSS was compromised before he set up 2FA, and then the hacker set up 2FA)
- More IPB security tips:
https://www.rootusers.com/how-to-sec...wer-board-ipb/
- Use separate Docker containers for your main site and forum and use a different network interface for each
- Ensure your folders use the following permission set: directories 755 and files 644
- Host client links external to your site and code sign where possible
- Set your allowed file types to only accept images/videos for posts to avoid XSS attempts
- Ensure you are using up to date application versions
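As an added example that is not part of the original post (and not OS-Scape's or IPB's own code), here is a POSIX shell script covering two of the tips above: the CloudFlare-only allow-list and the 755/644 permission reset. It assumes a Linux host with iptables and a web root path you pass in. The CIDR list is read from a file you populate yourself; the real ranges are published by Cloudflare at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6, and any addresses shown in the comments are documentation ranges, not Cloudflare's.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes Linux + iptables and a
# web root path supplied by the caller; the CIDR file is one you construct
# from Cloudflare's published lists (ips-v4 / ips-v6).
set -e

# Print (do not apply) iptables rules that accept 80/443 only from the CIDRs
# listed in the file "$1" (one per line, blank lines and "#" comments are
# skipped) and drop everything else on those ports. Review the output, then
# pipe it to sh once you are happy with it.
cf_allow_rules() {
  while read -r cidr; do
    case "$cidr" in ''|\#*) continue ;; esac
    printf 'iptables -A INPUT -p tcp -m multiport --dports 80,443 -s %s -j ACCEPT\n' "$cidr"
  done < "$1"
  # Final catch-all: any client not matched above never reaches the web server.
  printf 'iptables -A INPUT -p tcp -m multiport --dports 80,443 -j DROP\n'
}

# Reset the web root "$1" to the permission set from the post:
# directories 755, files 644.
fix_webroot_perms() {
  find "$1" -type d -exec chmod 755 {} +
  find "$1" -type f -exec chmod 644 {} +
}

# Audit helper: number of entries under "$1" that deviate from 755/644.
# Run it before and after fix_webroot_perms; 0 means the tree is clean.
count_bad_perms() {
  { find "$1" -type d ! -perm 755; find "$1" -type f ! -perm 644; } | wc -l | tr -d ' '
}

# Usage (hypothetical paths):
#   cf_allow_rules /etc/cloudflare-ips.txt | sh
#   count_bad_perms /var/www/site; fix_webroot_perms /var/www/site
```

Two caveats when using it: the allow-list only helps if the origin IP is not already known to the attacker (old DNS records, mail headers sent from the box, or a game client that points straight at the origin all leak it), and it deliberately touches only ports 80 and 443, so SSH and any game server ports still need their own rules. ufw or nftables can express the same policy if you prefer them to raw iptables.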